Slashdot Mirror

← Back to Stories (view on slashdot.org)

What Could You Do With a Bogus Root Name Server?

Posted by Soulskill on from the root-root-root-for-the-home-team dept.

Barlaam notes a post from the Renesys Blog which follows up on news they discussed a couple weeks ago about the 'identity theft' of a root name server. To emphasize the issue of safeguarding such a system, they've now posted an explanation of exactly how the situation could be exploited. "It shouldn't be too hard to see that you could end up answering every DNS query from an organization that came to you for an updated list of root name servers. Every one. And you might end up doing this for a very long time, especially if your answers were largely correct. An attack like this would have no resemblance to the YouTube hijack, where the entire planet gets a blank page and it's immediately apparent that something isn't right. Obvious events like this will continue to occur, and we'll continue to resolve them relatively quickly. But as this incident demonstrates, DNS hijacks are far less obvious and potentially far more harmful."

18 of 120 comments (clear)

  1. Its simple... by Indes · · Score: 5, Funny

    .. do what we do every night.. try to take over the world!!

    (Seriously, Imagine borrowing every bank's front page in North America .... You could be cashing in big time..... )

    1. Re:Its simple... by Anonymous Coward · · Score: 5, Funny

      I would reroute all of 4chan's traffic to fbi.gov

  2. easy by circletimessquare · · Score: 5, Funny

    i would redirect http://slashdot.org/ to http:///..org

    yeah how funny is it now that the joke is on the other foot biatches!

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  3. Simple recipe by canuck57 · · Score: 5, Insightful

    If you have lost DNS, game is over, you lose. A recipe if your system hits a compromised root server.

    • You open up email to read todays email. You PC looks up pop3.yourisp.com.
    • DNS returns the IP of evil PC to your PC which will connect to it.
    • Next, evil PC will emulate your login, IP address and record the password. Could even be a /. password.
    • Evil pc now has the info needed to read/retrieve your email.

    Better yet, people often use similar IDs and passwords into other systems. Evil hackers can often use the email to figure out which banks, credit, stock brokers and on line e-tailers you use. Maybe change the home address of your Amazon account and order stuff, if the e-tailor isn't right on top of it.

    Root servers need to be secure, end of story.

    I should note the above method would also work with SSL, be creative, it only has to be a legitimate cert with a root chain.

    1. Re:Simple recipe by imipak · · Score: 4, Insightful
      Oh good god, that's just the tip of the iceberg. More likely would be to MitM some large corps' Outlook Web Access or other places where domain credentials are exposed (VPNs and the like.) Wait until you've got a domain admin's password. You now own that entire corp. Now rinse and repeat for government bodies. How hard do you think it would be for the proverbial well-motivated and resourced attacker to trigger off a war in such circumstances?

      Think about it.

    2. Re:Simple recipe by Vellmont · · Score: 4, Informative


      If you have lost DNS, game is over, you lose. A recipe if your system hits a compromised root server.

      Unless you happen to have SSL enabled pop or imap.

      A (revised) recipe for an SSL enabled mail host:
              * You open up email to read todays email. You PC looks up pop3.yourisp.com.
              * DNS returns the IP of evil PC to your PC which will connect to it.
              * Evil PC returns a forged SSL certfificate claiming to be pop3.yourisp.com
              * Your email client brings up an error message saying there's something wrong with this certificate (self signed, etc)
              * You hopefully get suspicious, (this never having happened before), and don't click through.
              * Attack fails.

      If you don't get suspicious, and just click OK, you're right. But the situation isn't quite as dire as you make it out to be. I'd never connect to a non-secure host for something like email.

      --
      AccountKiller
    3. Re:Simple recipe by MushMouth · · Score: 4, Informative

      Amazon makes you re-enter the complete credit card number if you ship to a new address.

  4. Wrote about this in Feb 2006 by karl.auerbach · · Score: 4, Informative

    Back in Febrary 2006 I wrote a note "What Could You Do With Your Own Root Server" at
    http://www.cavebear.com/cbblog-archives/000232.html

    My conclusions were that one could make money and cause trouble.

    One of the more interesting aspects was (and still is) that one could operate root servers and, using the Google model, pay ISPs and users to send their queries to your roots so that you could generate data mining revenues.

    That quality of data that is minded form root traffic would not be as good as that as from a top level domain server - and who has some large top level domains and also has root servers? Verisign.

    And ICANN's contract with Verisign explicitly permits data mining of query traffic.

  5. Re:Hmmm... by tomhudson · · Score: 5, Funny

    You could send all Obama's web traffic to Clinton's web site ... oops, already been done!

  6. Re:I've heard of this new technology... by imipak · · Score: 4, Informative

    I think the OP's referring to TSIG and it's variants.

  7. Re:I've heard of this new technology... by klapaucjusz · · Score: 4, Interesting

    DNSSEC has gone through three (3) mutually incompatible specifications. The DNSSEC people are claiming that the last revision really really works, honest, gov, and that all that remains to be done is deploying it.

    But they don't appear to be deploying it on their own servers.

  8. Re:I've heard of this new technology... by klapaucjusz · · Score: 4, Informative

    But they don't appear to be deploying it on their own servers.

    I've just checked -- and the ISC do sign their zone. Sorry for the mis-information.

  9. That's easy by bconway · · Score: 5, Informative

    World-wide Rickroll?

    --
    Interested in open source engine management for your Subaru?
  10. Re:break everything by milsoRgen · · Score: 4, Interesting

    Actually a 7 day outage might be just enough to wake people up to the importance of patching your infrastructure That and I'm afraid it would awaken certain governments with the sudden realization now is the chance to install a large scale surveillance infrastructure (or something just as evil) all in the name of fighting the terrorists that caused the disturbance. Oh and I'm sure there would be provisions added to enforce copyright while they're at it.
    --
    I'm sick of following my dreams. I'm just going to ask where they're goin' and hook up with 'em later.
  11. Obvious first move by PPH · · Score: 5, Funny

    Goatse.cx lives!

    --
    Have gnu, will travel.
  12. Re:I've heard of this new technology... by Anonymous Coward · · Score: 4, Insightful

    Digitally signing every DNS request? Good luck handling the computational load :)

    You don't need to sign the requests, you need to sign the replies. And you only need to compute the signing once, and store the signed value.

  13. Re:break everything by ColdWetDog · · Score: 4, Interesting

    That and I'm afraid it would awaken certain governments with the sudden realization now is the chance to install a large scale surveillance infrastructure (or something just as evil) all in the name of fighting the terrorists that caused the disturbance. Oh and I'm sure there would be provisions added to enforce copyright while they're at it.

    Exactly. If you think the problem is bad now, wait until we've fixed it. (Arthur Kasspe). This should be the motto engraved on every Government departmental seal.

    --
    Faster! Faster! Faster would be better!
  14. Re:they tried that by jonaskoelker · · Score: 5, Funny

    Ooh, I have an idea. We could request only the parts of the file we actually need. Then we could probably do it in real time; the load on the master server will possible get too heavy, though. I know, our ISPs could cache local copies, and we could split the file into hierarchical chunks.

    Hey, I oughta' write up an RFC on this ;)